Background of the case
The judgment of Belgian Supreme Court is the latest development in a case concerning the lawfulness of the processing of personal data on the Belgian eID card for loyalty cards with associated discounts.
The initial decision of the Data Protection Authority
On 17 December 2019, the Belgian Data Protection Authority (BDPA) imposed a fine of EUR 10,000 on a retailer for unlawfully processing the personal data included on the Belgian eID card. It did so following a complaint from a customer who had refused to provide her eID card to the retailer. The BDPA found that the practice of processing the barcode of the eID card, which contains the national registry number of Belgian citizens, as well as their gender and date of birth, did not comply with the principle of minimal data processing. Additionally, there was no lawful processing in the absence of free consent of the data subject, as the retailer only gave discounts to customers who had a loyalty card, which was only possible if the eID card data were processed.
The appeal before the Markets Court
The retailer appealed the decision of the BDPA, after which the Market Courts ruled in its favour on 19 February 2020. We discussed this ruling in detail in a previous article.
The Market Courts held that no breach of the principles of minimal data processing and lawfulness could be identified, as the data of the person concerned were not actually processed by the retailer. The BDPA had also relied on the new eID legislation, which was not yet applicable at the time of the facts. In addition, it also indicated that the loss of discounts is not a disadvantage but a loss of a possible additional advantage. This would imply that there is still free consent, even if the data subject loses discounts when objecting to the processing of eID data in order to receive a loyalty card.
Decision of the Belgian Supreme Court
The BDPA appealed the decision of the Market Court, following which the Supreme Court ruled on 7 October 2021, this time in favour of the BDPA.
The Supreme ruled on two important points:
- The power of the BDPA to establish infringements in the absence of actual processing of complainant's data; and
- The free nature of GDPR consent.
On the first point, the Supreme Court ruled that a data subject always has the right to lodge a complaint, in particular based on the principles of minimal data processing and lawfulness, even if his/her personal data are not effectively processed but he/she has not obtained a benefit or service precisely because he/she did not consent to the processing of personal data.
As a result, the BDPA can launch an investigation and take action against a GDPR-infringing practice, even if it has been brought to its attention by a person whose data have not been processed.
Note that the BDPA can also at all times decide to act on its own initiative when there are serious indications of a GDPR infringement. In other words, it can also act outside the scope of complaints and, in response to a complaint, it can expand the scope of its investigation beyond the complaint alone.
On the second point, the Supreme Court ruled that the Markets Court did not sufficiently justify its decision by not investigating the actual free nature of the consent, but only stating (i) that no personal data were actually processed, and (ii) that not receiving a discount is not a disadvantage/detriment but only the loss of an extra advantage without the need for an alternative. The Supreme Court does not, however, provide any further guidance on the thin line between a disadvantage/detriment, on the one hand, and the loss of an additional advantage, on the other hand, in order to determine whether GDPR consent is deemed to be ‘freely given’.
What does this mean for your company?
If you would like to use the eID card of your customers in the context of customer registration, loyalty programmes and discounts, consider at least the following points:
- Minimal data processing: you should only process data necessary for the intended purpose, i.e. you should limit yourself to data that are relevant for creating loyalty cards and providing discounts and promotions. The eID card contains a range of personal data that can be read, including first name and surname, address, nationality, date and place of birth, gender and national registration number. The processing of the national registration number in particular should be avoided where possible.
- Free consent: Since loyalty cards are part of a company's promotional practices, the obvious legal basis for the processing is consent. However, to be able to rely on “free” consent, the data subject must not suffer any ‘detriment’ as a result of not giving or withdrawing consent. It is not always easy to balance an actual detriment against a missed extra benefit. It is therefore recommended to always offer an alternative means of receiving a loyalty card (e.g. by completing the required data manually or via a form).
- Permission for marketing purposes: do you also want to use the contact data for marketing purposes, such as advertising by e-mail and newsletters? Be sure to obtain the customer's specific, separate consent for this purpose.
- Information obligation: finally, always ensure that the customer is clearly informed about which data are being processed, for which purposes and on which basis, and that he/she knows how and via which channel he/she can exercise data subject rights and withdraw the given consent.